PARKERSBURG, W.V. (8/21/14)--Nearly 40% of data breaches come from inadvertent misuse of data by employees, according to a cybersecurity webinar held Wednesday.
The webinar, held by the West Virginia Credit Union League and TraceSecurity, was designed to help credit unions be more aware of cyberattack threats and implement best practices when it comes to data security.
"The NCUA regional director has publicly stated that credit union information technology security will be a top priority during the current credit union examination cycle," said Rich Schaffer, league senior vice president. "From our perspective, we want to ensure credit unions have available options when complying with examiner requests. The cost and effort required to prevent an attack is lower, and seems more manageable, than it is to react to one."
A Ponemon Institute study of data breaches showed that the financial cost to victims of a data breach averages $157 per consumer when the breach is a result of malicious criminal intent. For companies that are hit with such attacks, the average cost is $3.5 million.
"Outside of financial losses, you've got reputational losses. If you're hacked ... that can lead to loss of business, and other costs, such as reimbursement and legal fees, are there too," said Charles Lybrand, an information security analyst with TraceSecurity.
Lybrand recommended that companies undergo a vulnerability assessment, which consists of a scan of addresses within a system, such as a phone, computer or printer, that looks for vulnerabilities. The vulnerabilities are then reported.
A penetration test follows, with the vulnerability data used to go after system weaknesses, including passwords, system defaults and secure folders, all of which can contain sensitive information.
According to Lybrand, hackers can gain access to data by using a public IP address of a credit union and attacking that IP address. Other attacks are known as "social engineering" attacks. These attacks can be carried out via phone or e-mail, with the hacker posing as an IT staff member, a human resources staff member or the CEO and asking for system information, passwords or personal information.
Social engineering attacks can also be carried out in person, with the hacker visiting a location and getting physical access to an institution's servers or other equipment.
"Someone can come in acting like a new employee, or even dress as a pest inspector, and get in," Lybrand said. "I've run into chief information officers and IT professionals who say that will never work, but I've dressed up as a pest inspector, gone into an institution dressed in a uniform and said, 'I'm here to look at the mouse problem.' Next thing I know I'm back in a server room."
TraceSecurity is a CUNA Strategic Services alliance provider. The webinar, titled "Protecting Your Credit Union Against Cyberattacks," will be posted on TraceSecurity's website within the next few days.